DETAILED ACTION

1. Claims 1-5 have been examined.

Drawings 

2. The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they
do not include the following reference sign(s) mentioned in the description: 10, 12, 14, 16, 18, 
20, 134, 136, 138, 140, 142, and 144. 

Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to 
the Office action to avoid abandonment of the application. Any amended replacement drawing 
sheet should include all of the figures appearing on the immediate prior version of the sheet, 
even if only one figure is being amended. Each drawing sheet submitted after the filing date of 
an application must be labeled in the top margin as either "Replacement Sheet" or "New Sheet" 
pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will 
be notified and informed of any required corrective action in the next Office action. The 
objection to the drawings will not be held in abeyance. 

Specification 

3. Applicant is requested to provide the missing serial numbers for the related cases cited in 
paragraph [0001]. 

4. The specification is objected to because reference characters "140" and "142", although
not present in the drawings (see the drawing objection above), appear to have been used to
designate multiple elements (140 appears to describe a vulnerability assessment in paragraph
[0010] and rectangular entities in paragraph [0112]; 142 appears to describe a vulnerability
database in paragraph [0010] and ovals in paragraph [0112]).

Claim Rejections - 35 USC § 101

5. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

6. Claims 1-5 are rejected under 35 U.S.C. 101 because the claimed invention is directed to 
non-statutory subject matter. 

Descriptive material can be characterized as either "functional descriptive material" or 
"nonfunctional descriptive material." In this context, "functional descriptive material" consists 
of data structures and computer programs which impart functionality when employed as a 
computer component. (The definition of "data structure" is "a physical or logical relationship 
among data elements, designed to support specific data manipulation functions." The New IEEE 
Standard Dictionary of Electrical and Electronics Terms 308 (5th ed. 1993).) "Nonfunctional 
descriptive material" includes but is not limited to music, literary works and a compilation or 
mere arrangement of data. Both types of "descriptive material" are nonstatutory when claimed 
as descriptive material per se. In re Warmerdam, 33 F.3d 1354, 1361, 31 USPQ2d 1754, 1760
(claim to a data structure per se held nonstatutory). 

Data structures not claimed as embodied in computer-readable media are descriptive 
material per se and are not statutory because they are not capable of causing functional change in 
the computer. See, e.g., In re Warmerdam, 33 F.3d 1354, 1361, 31 USPQ2d 1754, 1760 (claim to 
a data structure per se held nonstatutory). Such claimed data structures do not define any 
structural and functional interrelationships between the data structure and other claimed aspects 
of the invention which permit the data structure's functionality to be realized. In contrast, a 
claimed computer-readable medium encoded with a data structure defines structural and 
functional interrelationships between the data structure and the computer software and hardware
components which permit the data structure's functionality to be realized, and is thus statutory.

Application/Control Number: 10/824,685
Art Unit: 2192

Similarly, computer programs claimed as computer listings per se, i.e., the descriptions or 
expressions of the programs, are not physical "things." They are neither computer components 
nor statutory processes, as they are not "acts" being performed. Such claimed computer 
programs do not define any structural and functional interrelationships between the computer 
program and other claimed elements of a computer which permit the computer program's 
functionality to be realized. In contrast, a claimed computer-readable medium encoded with a 
computer program is a computer element which defines structural and functional 
interrelationships between the computer program and the rest of the computer which permit the 
computer program's functionality to be realized, and is thus statutory. See In re Lowry, 32 F.3d 
1579, 1583-84, 32 USPQ2d 1031, 1035. 

Claims 4 and 5 recite a "system" comprising a series of elements that can be reasonably 
interpreted as software, per se. The claim does not define any structural and functional 
interrelationships between the software elements and a computer that would permit the described 
functionality to be realized when the software is employed as a computer component. 
Accordingly, claims 4 and 5 appear to merely set forth functional descriptive material per se, 
which is nonstatutory. 

A claim that requires one or more acts to be performed defines a process. However, not 
all processes are statutory under 35 U.S.C. § 101. To be statutory, a claimed process must either: 
(A) result in a physical transformation for which a practical application is either disclosed in the 
specification or would have been known to a skilled artisan, or (B) be limited to a practical 
application which produces a useful, tangible, and concrete result. See Diamond v. Diehr, 450
U.S. 175, 183-84, 209 USPQ 1, 9 (1981) (quoting Cochrane v. Deener, 94 U.S. 780, 787-88 
(1876)) ("A [statutory] process is a mode of treatment of certain materials to produce a given 
result. It is an act, or a series of acts, performed upon the subject-matter to be transformed and 
reduced to a different state or thing .... The process requires that certain things should be done 
with certain substances, and in a certain order; but the tools to be used in doing this may be of 
secondary consequence."). See also In re Alappat, 33 F.3d 1526, 1543, 31 USPQ2d 1545, 1556-57
(quoting Diehr, 450 U.S. at 192, [209 USPQ at 10]).

In State Street, the Federal Circuit examined some of its prior section 101 cases, 
observing that the claimed inventions in those cases were each for a "practical application of an 
abstract idea" because the elements of the invention operated to produce a "useful, concrete and 
tangible result." State St. Bank & Trust v. Signature Fin. Group, 149 F.3d 1368, 1373-74, 47 
USPQ2d 1596, 1601-02 (Fed. Cir. 1998). For example, the court in State Street noted that the
claimed invention in Alappat "constituted a practical application of an abstract idea (a 
mathematical algorithm, formula, or calculation), because it produced 'a useful, concrete and 
tangible result' — the smooth waveform." Id. Similarly, the claimed invention in Arrhythmia 
"constituted a practical application of an abstract idea (a mathematical algorithm, formula, or 
calculation), because it corresponded to a useful, concrete and tangible thing — the condition of a 
patient's heart." Id. (citing Arrhythmia Research Tech. v. Corazonix Corp., 958 F.2d 1053, 22
USPQ2d 1033 (Fed. Cir. 1992)). 

In determining whether the claim is for a "practical application," the focus is not on 
whether the steps taken to achieve a particular result are useful, tangible and concrete, but rather 
that the final result is "useful, tangible and concrete." The Federal Circuit further ruled that it is
of little relevance whether a claim is directed to a machine or process for the purpose of a § 101
analysis. AT&T Corp. v. Excel Commc'ns, 172 F.3d 1352, 1358, 50 USPQ2d 1447, 1451 (Fed.
Cir. 1999).

Claims 1-5 are directed to methods (claims 1-3) and systems (claims 4 and 5) for 
detecting vulnerabilities in source code. This claimed subject matter lacks a practical application 
of a judicial exception (law of nature, abstract idea, naturally occurring article/phenomenon)
since it fails to produce a useful, concrete and tangible result. Specifically, the claimed subject 
matter does not produce a tangible result because the claimed subject matter fails to produce a 
result that is limited to having real world value rather than a result that may be interpreted to be 
abstract in nature as, for example, a thought, a computation, or manipulated data. More 
specifically, the claimed subject matter describes at best the performing of a process that is not 
tied to any particular tangible output capable of being, for example, stored, displayed, or 
conveyed in any manner causing any useful functional or structural change in a computer system 
so as to achieve a practical application. This produced result remains in the abstract and, thus, 
fails to achieve the required status of having real world value. 

7. To expedite a complete examination of the instant application, the claims rejected under 
35 U.S.C. §101 (non-statutory) above are further rejected as set forth below in anticipation of 
Applicant amending these claims to place them within the four statutory categories of invention. 

Double Patenting

8. The nonstatutory double patenting rejection is based on a judicially created doctrine 
grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or 
improper timewise extension of the "right to exclude" granted by a patent and to prevent possible 
harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection 
is appropriate where the conflicting claims are not identical, but at least one examined 
application claim is not patentably distinct from the reference claim(s) because the examined 
application claim is either anticipated by, or would have been obvious over, the reference 
claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re 
Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225
USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re
Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163
USPQ 644 (CCPA 1969). 

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may 
be used to overcome an actual or provisional rejection based on a nonstatutory double patenting 
ground provided the conflicting application or patent either is shown to be commonly owned 
with this application, or claims an invention made as a result of activities undertaken within the 
scope of a joint research agreement. 

Effective January 1, 1994, a registered attorney or agent of record may sign a terminal 
disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 
3.73(b). 

9. Claims 1-5 are provisionally rejected on the ground of nonstatutory obviousness-type 
double patenting as being unpatentable over claims 1-22 of copending Application No. 
10/825,007. Although the conflicting claims are not identical, they are not patentably distinct 
from each other. 

A later claim that is not patentably distinct from an earlier claim in a commonly owned 
patent is invalid for obvious-type double patenting. In re Berg, 140 F.3d 1428, 1431, 46 
USPQ2d 1226, 1229 (Fed. Cir. 1998). A later patent claim is not patentably distinct from an 
earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re 
Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double 
patenting because the claims at issue were obvious over claims in four prior art patents); In re 
Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of
obviousness-type double patenting where a patent application claim to a genus is anticipated by a 
patent claim to a species within that genus). 

Regarding pending claims 1 and 3, these claims appear to be anticipated by claims 1 and 
13 of Application No. 10/825,007. Note that pending claim 1 is a broader version of claim 1 of 
Application No. 10/825,007. Claim 2 merely specifies a type of vulnerability known in the prior 
art, namely race conditions, and further, the detection of race conditions in the context of 
vulnerability checking is likewise known in the prior art (see, e.g., section 4.4.2 of "ITS4: A 
Static Vulnerability Scanner for C and C++ Code," prior art of record), and therefore, claim 2 is 
considered to be not patentably distinct from claim 1 of Application No. 10/825,007. 

Regarding pending claims 4 and 5, these are essentially "computer implemented" 
versions of claims 1, with pending claim 5 further requiring a set of rules in a database for use in 
the detecting. Claims 16 and 17 of Application 10/825,007 appear to anticipate these claims. 

This is a provisional obviousness-type double patenting rejection because the conflicting 
claims have not in fact been patented. 

Claim Rejections - 35 USC § 102

10. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 

11. Claims 1-5 are rejected under 35 U.S.C. 102(b) as being anticipated by Viega et al.,
"ITS4: A Static Vulnerability Scanner for C and C++ Code" 2000 (prior art of record; 
hereinafter "[Viega]"). 

Regarding claim 1, [Viega] discloses: 

generating a model which describes certain characteristics about the flow of a routine 
(see, e.g., section 4.1), and 

using the model in conjunction with pre-specified criteria for the corresponding routine to 
determine whether the routine calls possess vulnerabilities as a consequence of the flow of the 
routine (see, e.g., section 4.4). 

Regarding claim 2, [Viega] further discloses the vulnerabilities being race conditions 
(see, e.g., section 4.4.2).

Regarding claim 3, [Viega] further discloses the pre-specified criteria for the 
corresponding routine including rules about the semantic behavior of the routine (see, e.g., 
section 4.1 and section 4.4.1).

Regarding claim 4, [Viega] discloses: 

computer implemented logic for generating a model which describes certain 
characteristics about the flow of a routine (see, e.g., section 4.1), and 

computer implemented logic for using the model in conjunction with pre-specified 
criteria for the corresponding routine to determine whether the routine possesses vulnerabilities 
as a consequence of the flow of the routine (see, e.g., section 4.4). 

Regarding claim 5, [Viega] further discloses the computer implemented logic for using
the model in conjunction with pre-specified criteria for the corresponding routine to determine
whether the routine possesses vulnerabilities as a consequence of the flow of the routine
including a database specifying rules to detect vulnerabilities based on an analysis of the 
argument models (see, e.g., section 4.2). 

Conclusion

12. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

13. Any inquiry concerning this communication or earlier communications from the 
Examiner should be directed to Eric B. Kiss whose telephone number is (571) 272-3699. The 
Examiner can normally be reached on Tue. - Fri., 7:00 am - 4:30 pm. The Examiner can also be 
reached on alternate Mondays. 

If attempts to reach the Examiner by telephone are unsuccessful, the Examiner's 
supervisor, Tuan Dam, can be reached on (571) 272-3695. The fax phone number for the 
organization where this application or proceeding is assigned is (571) 273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Any inquiry of a general nature should be directed to the TC 2100 Group receptionist:
571-272-2100.




Eric B. Kiss 
March 29, 2007 



